I would like to add one more insight to this metadata server reachability issue.

At the time of booting an instance, it sends ARP packets to figure out who has the gateway IP and who has the DHCP server IP. When the ARP request is sent from the VM instance, the router should respond with the MAC address. So we have to ensure that the interface IP of the Neutron namespace router (which is the gateway for the VMs) and the IP of the physical interface that points to the private network of the VMs are different.
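
One way to check for the overlap described above, as an added example that is not part of the original post: it compares two `ip -o -4 addr show` outputs and reports any address configured on both the host and the router namespace. The function names and sample addresses are constructed for illustration, and `qrouter-<router-id>` is a placeholder for the namespace name.

```shell
#!/bin/sh
# Added example: detect an IPv4 address that is configured both on a host
# interface and inside the Neutron router namespace.
# Live use (run as root on the network node; <router-id> is a placeholder):
#   find_conflicts "$(ip -o -4 addr show)" \
#       "$(ip netns exec qrouter-<router-id> ip -o -4 addr show)"

# Read `ip -o -4 addr show` output on stdin and print "address interface"
# for every non-loopback IPv4 address.
list_addrs() {
    awk '$3 == "inet" { split($4, a, "/"); if (a[1] !~ /^127\./) print a[1], $2 }'
}

# $1 = host output, $2 = router-namespace output.
# Prints "address host_if ns_if" for each address present on both sides;
# prints nothing when the two sets are disjoint.
find_conflicts() {
    host_addrs=$(printf '%s\n' "$1" | list_addrs)
    ns_addrs=$(printf '%s\n' "$2" | list_addrs)
    printf '%s\n--\n%s\n' "$host_addrs" "$ns_addrs" | awk '
        $0 == "--"     { second = 1; next }   # marker between the two lists
        NF < 2         { next }               # skip empty lines
        !second        { hostif[$1] = $2; next }
        ($1 in hostif) { print $1, hostif[$1], $2 }'
}

# Constructed sample data in the format printed by `ip -o -4 addr show`.
NS_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
12: qr-constructed    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-constructed\       valid_lft forever preferred_lft forever'
HOST_BAD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever'
HOST_OK='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever'

conflicts=$(find_conflicts "$HOST_BAD" "$NS_SAMPLE")
if [ -n "$conflicts" ]; then
    echo "Address on both host and router namespace: $conflicts"
else
    echo "No overlapping addresses"
fi
```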